In cryptographic systems such as a public key infrastructure (PKI), certificates are used to encrypt messages such that only a holder of a specific certificate can read the message. Certificates are also used to digitally sign information to prove that the certificate holder is the source of the information. To encrypt a message so that only a particular certificate holder can read it, the public key of the certificate holder needs to be obtained.
FIG. 1 illustrates a conventional system architecture 100 for obtaining and verifying certificate information. The system architecture 100 includes a Lightweight Directory Access Protocol (LDAP) server 103, a client 105, an OCSP responder 107, and an exemplary certificate owner Tom Jones 110.
Client 105 makes a certificate query 178 to the LDAP server 103 to find the certificate belonging to a particular user identity (e.g., Tom Jones). The LDAP server 103 includes an LDAP directory 114 having numerous entries, each entry listing a user identity 116 and a certificate 118. If the requested certificate is stored in the LDAP directory 114, then the LDAP server 103 returns a query response 180 that includes the certificate. For example, a certificate query for certificates belonging to Tom Jones would return certificate 344.
Client 105 then submits an OCSP response query 172 to the OCSP responder 107 in order to determine the revocation status of the certificate. The OCSP responder 107 generates an OCSP response 124 and returns an OCSP response transmittal 173 to the client 105. If the OCSP response 124 indicates that the certificate has not been revoked, then the client 105 uses an encrypter 130 and the public key contained in the certificate to encrypt 183 a message 132. The encrypted message is then sent 185 to the certificate owner, Tom Jones 110.
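The following Python example is added here to model the three-step flow of FIG. 1 (directory lookup, revocation check, encryption with the certificate's public key); it is not code from the original specification. The LDAP directory and the OCSP responder are replaced by constructed in-memory dictionaries, the subject names, serials and dates are constructed, and a textbook RSA key with small constructed primes stands in for the public key carried in the certificate. The revocation check is written fail-closed: a missing response, a response outside its validity window, or any status other than "good" blocks encryption.

```python
"""Constructed model of the FIG. 1 flow: directory lookup, revocation check, encrypt.

The directory and the OCSP responder are in-memory dictionaries, and a textbook
RSA key with small constructed primes stands in for the public key carried in
the certificate. None of this is the specification's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    modulus: int   # RSA n (public)
    exponent: int  # RSA e (public)


@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: str             # "good", "revoked" or "unknown"
    this_update: datetime   # start of the responder's validity window
    next_update: datetime   # end of that window


# Fixed clock so the example is deterministic (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed directory entries (stand in for LDAP directory 114).
# Tom Jones's toy key: p=61, q=53 -> n=3233, e=17; the matching private
# exponent d=413 is held only by the certificate owner.
TOM_PRIVATE_EXPONENT = 413
DIRECTORY = {
    "Tom Jones": Certificate(serial=344, subject="Tom Jones", modulus=3233, exponent=17),
    "Ann Smith": Certificate(serial=345, subject="Ann Smith", modulus=2773, exponent=17),
}

# Constructed responder state (stands in for OCSP responder 107).
RESPONDER = {
    344: OCSPResponse(344, "good", NOW - timedelta(hours=1), NOW + timedelta(days=1)),
    345: OCSPResponse(345, "revoked", NOW - timedelta(hours=1), NOW + timedelta(days=1)),
}


def lookup_certificate(subject: str) -> Optional[Certificate]:
    """Certificate query 178 / query response 180 against the directory."""
    return DIRECTORY.get(subject)


def revocation_status_is_good(cert: Certificate, now: datetime = NOW) -> bool:
    """OCSP query 172 / response 124, evaluated fail-closed: only a response for
    this serial, inside its validity window, with status "good" permits use."""
    resp = RESPONDER.get(cert.serial)
    if resp is None or resp.serial != cert.serial:
        return False
    if not (resp.this_update <= now <= resp.next_update):
        return False            # stale or not-yet-valid response: treat as unusable
    return resp.status == "good"


def rsa_encrypt(cert: Certificate, message: int) -> int:
    """Encrypter 130: raw textbook RSA with the certificate's public key."""
    if not 0 <= message < cert.modulus:
        raise ValueError("message must be an integer below the modulus")
    return pow(message, cert.exponent, cert.modulus)


def rsa_decrypt(ciphertext: int, private_exponent: int, modulus: int) -> int:
    """What the certificate owner does on receipt; included to confirm the round trip."""
    return pow(ciphertext, private_exponent, modulus)


def encrypt_for(subject: str, message: int, now: datetime = NOW) -> int:
    """Full client 105 flow: look up the certificate, check revocation, then encrypt."""
    cert = lookup_certificate(subject)
    if cert is None:
        raise LookupError(f"no certificate for {subject!r}")
    if not revocation_status_is_good(cert, now):
        raise PermissionError(f"certificate {cert.serial} is not usable")
    return rsa_encrypt(cert, message)


if __name__ == "__main__":
    c = encrypt_for("Tom Jones", 65)
    print(c, rsa_decrypt(c, TOM_PRIVATE_EXPONENT, 3233))   # 2790 65
```

Running the module encrypts the constructed message 65 for Tom Jones (serial 344, status "good") and decrypts it with the owner's private exponent; the same call for Ann Smith (serial 345, status "revoked") or for a clock outside the response's validity window refuses to encrypt.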